Hack4S3cur1ty
[Seccon Beginners 2018][Rev] Activation
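I downloaded the file and checked it; it turned out to be a .NET binary.
I opened it in dnSpy and found it was obfuscated, which made it messy to read, but that doesn't matter. You can just follow it while debugging in dnSpy.
Roughly, it first searches for a specific drive and then checks whether a specific file exists there, but you can simply NOP that check out.
After that it takes a serial key, AES-encrypts it and compares the result with some value; set a breakpoint and debug it to find the comparison value.
The IV and KEY are stored in a table and only go through a simple operation, so they are easy to recover, and AES-decrypting the comparison value gives the flag.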
```python
# Python 2 with PyCrypto
import binascii
from Crypto.Cipher import AES


def getinfo():
    # Obfuscated string table taken from the binary
    table = [231,202,193,199,249,198,194,201,205,212,142,217,199,202,200,138,251,216,204,208,200,222,200,212,221,221,139,210,217,218,196,218,228,238,230,253,161,230,226,253,247,247,226,238,254,169,252,228,247,247,219,245,247,252,247,189,176,221,245,233,226,181,180,225,133,203,155,157,143,157,152,205,131,128,148,136,144,134,144,140,149,149,214,243,244,188,148,152,145,152,208,133,158,146,212,145,163,184,163,231,224,225,198,142,150,133,244,131,241,130,245,150,159,152,155,150,144,128,158,152,149,154,158,159,147,133,135,4,1,108,64,93,68,12,68,81,3,78,78,82,7,77,75,73,94,74,77,91,91,18,120,64,65,95,67,117,95,81,86,97,43,124,97,107,47,109,110,118,106,118,96,114,110,107,107,58,120,119,125,123,49,50,51,24,86,35,114,38,94,113,115,9,8,90,16,59,45,89,10,20,51,55,6,3,86,18,45,43,48,83,45,60,10,41,36,8,32,36,70,30,35,95,35,56,27,12,33,36,13,56,125,10,0,1,46,115,1,8,42,50,61,43,118,42,109,10,59,103,18,51,37,63,33,53,33,207,207,134,224,192,201,195,223,207,194,212,200,201,201,229,198,206,210,206,216,202,214,211,211,146,208,223,213,211,151,221,198,170,226,230,239,227,229,233,172,172,193,226,242,238,242,228,238,242,247,247,165,252,243,240,226,252,254,244,248,227,187,248,139,130,134,158,135,129,136,130,149,205,152,128,139,139,183,145,155,143,141,138,178,158,158,152,158]
    data = ''
    # Each entry is XORed with its own index and the constant 170
    for i in range(len(table)):
        data += chr((table[i] ^ i ^ 170) % 256)
    IV = data[103:103+8] * 2   # 8 characters repeated to make 16
    key = data[111:111+16]     # 16-character AES key
    return IV, key


class PKCS7Encoder(object):
    def __init__(self, k=16):
        self.k = k

    def decode(self, text):
        # Strip PKCS#7 padding using the value of the last byte
        nl = len(text)
        val = int(binascii.hexlify(text[-1]), 16)
        if val > self.k:
            raise ValueError('Input is not padded or padding is corrupt')
        l = nl - val
        return text[:l]


IV = getinfo()[0]
key = getinfo()[1]
# Comparison value (Base64)
enc = "E3c0Iefcc2yUB5gvPWge1vHQK+TBuUYzST7hT+VrPDhjBt0HCAo5FLohfs/t2Vf5"
# PyCrypto accepts the IV argument here but does not use it in ECB mode
decrypt = AES.new(key, AES.MODE_ECB, IV)
plain = PKCS7Encoder().decode(decrypt.decrypt(enc.decode('base64')))
print plain
```
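The key-recovery step of the script above, as an added Python 3 example that is not part of the original post and needs no third-party module: it decodes only entries 103..126 of the table (the IV and key region) and replaces the last-byte-only padding check with a strict PKCS#7 check. The names `decode_slice`, `derive_iv_key` and `pkcs7_unpad` are assumptions made for this example.

```python
# Added example (Python 3, standard library only); not the post's original code.
# TABLE_103_126 holds entries 103..126 copied from the table in the post.
TABLE_103_126 = bytes([142, 150, 133, 244, 131, 241, 130, 245,
                       150, 159, 152, 155, 150, 144, 128, 158,
                       152, 149, 154, 158, 159, 147, 133, 135])
XOR_CONST = 170   # constant from the post: table[i] ^ i ^ 170
BASE = 103        # absolute index of the first entry in the slice


def decode_slice(chunk, base, xor_const=XOR_CONST):
    """Undo the position-dependent XOR; `base` is the chunk's absolute index."""
    return bytes((b ^ (base + n) ^ xor_const) & 0xFF
                 for n, b in enumerate(chunk))


def derive_iv_key():
    """Rebuild IV (8 bytes doubled) and key (16 bytes) like the post's getinfo()."""
    data = decode_slice(TABLE_103_126, BASE)
    return data[:8] * 2, data[8:24]


def pkcs7_unpad(block, k=16):
    """Strict PKCS#7 removal: checks length, pad range and every pad byte."""
    if not block or len(block) % k:
        raise ValueError("length is not a positive multiple of the block size")
    pad = block[-1]
    if pad < 1 or pad > k or block[-pad:] != bytes([pad]) * pad:
        raise ValueError("padding is corrupt")
    return block[:-pad]


if __name__ == "__main__":
    iv, key = derive_iv_key()
    print("IV :", iv.decode("ascii"))
    print("key:", key.decode("ascii"))
    # Constructed sample block, not the challenge's data.
    print(pkcs7_unpad(b"sample text!" + b"\x04" * 4))
```

A wrong key or mode usually shows up as a `ValueError` from the strict check, whereas a check on the last byte alone accepts any final byte up to 16.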